https://bugs.kde.org/show_bug.cgi?id=380034

            Bug ID: 380034
           Summary: Possible exploit: If signed message has added
                    arbitrary text in third line, Kleopatra doesn't warn
                    user that "gpg: Invalid armor header:[content of
                    line]"
           Product: kleopatra
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected]
  Target Milestone: ---

When verifying a signed message in this format: https://pastebin.com/raw/yEiTHhvF
anybody can insert any text in the third line, and Kleopatra will verify the message
and not notify the user that the header contained a line that should not be there.


GPG2.exe or GPG in Linux bash shows a warning:
gpg: Invalid armor header: [inserted line] https://i.imgur.com/V28UTgJ.jpg

Kleopatra omits this warning and just shows a green "verification successful"
window.
https://i.imgur.com/0w3AasI.jpg


You can reproduce this with:
https://pastebin.com/raw/yEiTHhvF  <-- original, unaltered
https://pastebin.com/raw/np4v7ZFM  <-- altered message that also verifies in the GUI
but shows a warning in the command prompt
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x181F01E57A35090F
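As an added example (not code from this report, Kleopatra or GnuPG), a small Python check that approximates the test gpg applies to the armor header block: every line between the BEGIN line and the first blank line must be a "Key: Value" header (RFC 4880 section 6.2), and gpg additionally warns about keys it does not know. Nothing in that block is covered by the signature, which is why a verifier should surface such lines. The sample messages and the signature data below are constructed placeholders, not the pastebin messages from the report.

```python
import re

# Opens an armor block (RFC 4880 section 6.2); the armor header block runs
# from the next line up to the first blank line.
ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")
# An armor header is "Key: Value"; anything else in that block is invalid.
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+): (.*)$")
# Header keys defined by RFC 4880; gpg warns about keys outside this set.
KNOWN_KEYS = {"Version", "Comment", "MessageID", "Hash", "Charset"}


def find_armor_header_problems(text):
    """Return [(line_no, reason, line)] for each armor header line that is
    malformed ("invalid") or uses a key RFC 4880 does not define
    ("unknown-key"). Header lines are not covered by the signature."""
    problems = []
    in_header = False
    for n, line in enumerate(text.splitlines(), 1):
        if ARMOR_BEGIN.match(line):
            in_header = True
            continue
        if not in_header:
            continue
        if not line.strip():
            in_header = False  # a blank line terminates the header block
            continue
        m = HEADER_LINE.match(line)
        if not m:
            problems.append((n, "invalid", line))
        elif m.group(1) not in KNOWN_KEYS:
            problems.append((n, "unknown-key", line))
    return problems


# Constructed sample clearsigned message; the signature data is a placeholder.
ORIGINAL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is the text that the signature actually covers.
-----BEGIN PGP SIGNATURE-----

placeholder-signature-data
=XXXX
-----END PGP SIGNATURE-----
"""

# Same message with arbitrary text inserted as the third line, as described
# in the report; gpg reports it as an invalid armor header.
ALTERED = ORIGINAL.replace(
    "Hash: SHA256\n", "Hash: SHA256\nThis line is not covered by the signature\n", 1)
```

Running `find_armor_header_problems(ALTERED)` flags line 3, while the unaltered message yields an empty list.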
